|
| |
 Objectives |
| |
Our information security management has three objectives: |
| |
I. Confidentiality: Legal access to information;
II. Integrity: Keep information or information systems correct and complete;
III. Availability: Information or information systems are available when they are needed; |
| |
|
| |
Details of the three objectives are as follows: |
| |
I. Confidentiality |
| |
|
Information saved in, processed by, or transmitted via, information systems of the Administration, shall be treated as strictly confidential: |
| |
|
(I) |
For remote access to Intranet information of the Administration, a prevention mechanism shall be established to preclude information being obtained by other people illegally during transmission; |
| |
|
(II) |
Confidential information saved in internal information system (including electronic documents or paper documents) shall be properly protected. |
| |
|
(III) |
Audit records containing detailed information about important activities shall be properly protected. Only authorized personnel can read or use them. |
| |
|
|
| |
II. Integrity |
| |
|
We shall protect data saved in, processed by or transmitted via, information systems of the Administration from being falsified and protect information systems from being operated improperly or invaded by illegal person.
|
| |
|
(I)
|
For remote access to Intranet information of the Administration, a prevention mechanism shall be established to preclude information being falsified by other people illegally during transmission; |
| |
|
(II) |
Information with higher confidential degrees that are saved in internal information systems of the Administration shall be properly protected; |
| |
|
(III)
|
Tighten management and control of the authority of information access, and weak points and potential dangers in information access for maintaining the integrity of information. |
| |
|
|
| |
III. Availability |
| |
|
On the condition that the normal operation of information systems can be ensured, when a legal user asks for the use of information systems (such as receiving/sending e-mails and OA application system, etc), the user shall be responded to in a timely manner and his service requirements satisfied. Availability shall be carefully considered together with confidentiality and integrity in order to achieve our planned objectives. For example, online information encryption or recording audit data will affect the system's response time or cause denial of service, and therefore, availability cannot be satisfied.
See the following descriptions for the details and implementation modes in practice of the above three objectives: |
| |
|
|
| |
IV. Set specific information security objectives |
| |
|
On the basis of CIA, we set the following security objectives: |
| |
|
(I) |
Reduce bug numbers of application systems by 10% |
| |
|
(II) |
Reduce the number of attacks by computer virus by 10% |
| |
|
(III) |
Maintain the availability of key host systems at 99.5% |
| |
|
(IV) |
Reduce the number of information security accidents by 10% |
| |
|
hese objectives shall be revised each year and then submitted to the Information Security Guiding Committee for examination and approval. |
| |
|
|
| |
V. Set indices of information security |
| |
|
Indices of information security shall be made according to security objectives. Indices of information security include:
|
| |
|
(I) |
Bug numbers of application systems |
| |
|
(II) |
Number of attacks by computer virus |
| |
|
(III) |
Availability of key host systems |
| |
|
|
| |
VI. The method for collecting the above indices of information security |
| |
|
A mechanism for collecting the above mentioned indices for information security shall be established in the information security management system in order to assess the effects. The mechanism shall include the following items:
|
| |
|
(I) |
Information security procedures, I-ISMS2201-XX |
| |
|
|
1. 2.4 Information security accidents management
2. 2.8 Performance of the monitoring system
3. 2.11 Management of the use of intellectual assets
4. 2.12 Security inspection of internal information |
| |
|
(II) |
Procedures for handling information security accidents I-ISMS2304-XX |
| |
|
(III) |
Management of continuous business operation I-ISMS2305-XX |
| |
|
(IV) |
Methods for security inspection on internal information I-ISMS2306-XX |
| |
|
(V) |
Security inspection and access control I-ISMS2322-XX |
| |
|
|
| |
VII. Submit summary information on information security accidents |
| |
|
Submit quarterly summarized information on information security accidents to the Information Security Guiding Committee or the meeting of the Taiwan Railway Administration in order to explain the performance of the information security management system. |
| |
|
|
|
